At 09:24 PM 19-07-99 +0100, Ben Laurie wrote:

>So what you are saying is that you'd be happy to run your
>server forever on an initial charge of 128 bits of entropy
>and no more randomness ever?
>
>Really?
>
>This model should work for all the servers in the world, of
>course (operating from a single initial charge of 128 bits
>shared between them). Are we all happy?

If the mechanism generating the bits from the seed is
secure, the seed is not susceptible to compromise anywhere,
and the seed is large enough that nobody has a nonnegligible
chance of guessing it, then yes, I would say we all ought
to be happy.

Suppose I replace your hardware random number generator with
the ANSI X9.17 key generator, with a totally random 112-bit
key, and a working timer that increments at least once per
thousand outputs or so.  How will you tell the difference?
How will an attacker tell the difference?  I believe he has
to break two-key triple-DES to tell the difference, or else
he has to get inside your device and compromise that key.

Suppose God, in a fit of budget-consciousness, decides to get
rid of all this wasteful hardware for generating random
numbers that are necessary for quantum mechanics, and
instead replaces them with a PRNG with a 256-bit seed.  In
this case, all hardware noise sources are ultimately tapping
into this same seed and PRNG. How will you, or anyone, tell
the difference?  (This assumes that God can find some good
pseudorandom function families, of course.)

>Cheers,
>
>Ben.

--John Kelsey, Counterpane Internet Security, [EMAIL PROTECTED]
NEW PGP print =  5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF

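The ANSI X9.17 generator John describes, written out as an added example in Go (not code from this thread): Go's standard crypto/des supplies two-key 3DES (K1||K2||K1), the timer T is passed in by the caller, and the key and seed are constructed demo values. It makes his point concrete: every output block is a deterministic function of K, V and T, so an observer without K faces the 3DES problem, while anyone who reads K and V out of the device reproduces the stream exactly.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// X917 is the ANSI X9.17 generator described in the message above: a secret
// two-key 3DES key K, a chaining value V (the seed) and a caller-supplied timer T.
type X917 struct {
	enc func(dst, src []byte) // 3DES encryption under K
	v   [8]byte               // current V
}

// NewX917 takes K1||K2 (16 bytes, expanded to K1||K2||K1 for Go's 3DES API) and seed V.
func NewX917(key [16]byte, seed [8]byte) *X917 {
	// The key length is fixed by the array types, so the only error case cannot occur.
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, key[:]...), key[:8]...))
	return &X917{enc: blk.Encrypt, v: seed}
}

// Next returns one 8-byte output block for timer value t and advances V.
func (g *X917) Next(t uint64) (r [8]byte) {
	var i [8]byte
	binary.BigEndian.PutUint64(i[:], t)
	g.enc(i[:], i[:]) // I = E_K(T)
	for k := range i { g.v[k] ^= i[k] }
	g.enc(r[:], g.v[:]) // R = E_K(I ^ V), the output block
	for k := range i { g.v[k] = r[k] ^ i[k] }
	g.enc(g.v[:], g.v[:]) // V' = E_K(R ^ I), the next state
	return r
}

// Stream draws n blocks from a fresh generator whose timer ticks once every
// tick outputs (the "at least once per thousand outputs" in the message).
func Stream(key [16]byte, seed [8]byte, n, tick int) [][8]byte {
	g := NewX917(key, seed)
	out := make([][8]byte, n)
	for j := range out {
		out[j] = g.Next(uint64(j / tick))
	}
	return out
}

func main() {
	// Constructed demo key and seed; a real device fills them from its noise source.
	key := [16]byte{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}
	seed := [8]byte{'s', 'e', 'e', 'd', 's', 'e', 'e', 'd'}
	fmt.Printf("%x\n", Stream(key, seed, 3, 1000))
}
```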
